Microsoft: You looking at me funny? Oh, you just want to sign in

Password-less logins for Edge users with Windows Hello or a FIDO2 dongle. Like, 3 people


It's taken a while, but it has finally arrived. You can sign into your Microsoft account with a suitable dongle or Windows Hello, with passwords consigned to history.

Well, that's the theory. There are, as ever, some caveats.

Microsoft's corporate veep of all things identity, Alex Simons, trumpeted that the 800 million people who use a Microsoft account will now be able to sign in without username or password.

Unless there has been a staggeringly fast rollout of the Windows 10 October 2018 Update, that number is likely to be far, far lower since, yes, you will need to have updated to the problematic 1809 build of Windows 10 to actually use the thing.

If you are one of the lucky few to have received the 1809 update, open Edge (yes, for a purpose other than downloading the likes of Chrome or Firefox) and sign into your Microsoft account. Head to security options and follow the instructions for setting up a security key or using Windows Hello, and you're done. Password-less sign-ins.

Microsoft has been trailing the tech for a while, slipping technology from the Fast IDentity Online (FIDO) alliance into Windows 10 back in 2015 and endorsing FIDO's Client To Authenticator Protocol (CTAP) alongside the WebAuthn API earlier this year.

Microsoft has now implemented the technology into its services and, with Windows 1809 finally seeping out from under the bathroom door, has turned it on.

Unlike a password, FIDO2 generates a public and private key when the user registers a credential. The private key is stored on the device and, in Microsoft's implementation, the public key lives in Redmond's cloud and is registered with the user's Microsoft account. Any biometric or PIN information never actually leaves the device.

Upon signing in, Microsoft's account system flings a nonce at the PC or FIDO2 device.

For our UK readers who may have just passed their tea through their noses, we're pretty sure Microsoft is referring to a single-use arbitrary number in the cryptographic sense rather than anything decidedly less than savoury.

The PC or device then uses the private key to sign the nonce; the signature is returned to Microsoft, verified against the stored public key, and the user is authenticated. Simple!

Thus to achieve this password-less future, the user needs some biometrics (face or fingerprint) or a PIN and also a secure enclave, either on the Windows 10 PC or on a plug-in FIDO2 device.

Microsoft's implementation obviously requires Edge, and the software giant reckons it is the first out of the gate with Windows Hello removing the need for a username. However, Google's Chrome browser has enjoyed a version, in beta form at least, since July and Mozilla has also committed to supporting the standard.

Apple, of course, has its own special walled garden, with users squinting at their iPhones or prodding TouchBars to achieve a similar effect. Safari continues to be notably absent from the FIDO party.

In news that will strike fear into the hearts of admins still reeling from this week's Azure Multi-Factor Authentication outage, Microsoft plans to build the "same sign-in experience from a browser with security keys for work and school accounts in Azure Active Directory".

Enterprises can expect to start dealing with employees losing their FIDO2 dongles in preview form from early next year. ®
